Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

2156 Nachi ICMP Echo Request Question

Before we enabled this signature, we would catch MSBlaster/Nachi infected machines using the 3327 (RPC DCOM Overflow) and 3328 (SMB/RPC NoOp Sled) signatures.

Now that 2156 is enabled, infected machines trigger all three.

My question is this however. Sometimes we get machines that just trigger 2156 and none others. In fact in a 30 minute period, a source machine could easily generate 30,000+ 2156sig events.

So I'm wondering, since the other two signatures are never triggered, what exactly is going on with these machines? Is there some mutation, or other worm, out there that pings, or has re-used the pinging code from Nachi?

When we find these suspect machines, we run scanms.exe/retina.exe etc against them, and they are sometimes reported as patched (which leads me to believe that something else is going on).

Any assistance is much appreciated, thanks.

3 REPLIES
New Member

Re: 2156 Nachi ICMP Echo Request Question

This is classic Nachi. The machine infects a vulnerable host, patches it, trys to infect others...then stops...all the while it is spewing the Nachi Echo Request packets which never stop.

These boxes are infected with Nachi, but are not vulnerable...just noisy in terms of the network.

New Member

Re: 2156 Nachi ICMP Echo Request Question

I understand that machines can remain infected even though patched.

My question was that so far, all identified Nachi infections trigger three signatures (the ones mentioned above).

BUT periodically we see machines that just trigger the 2156 signature and no others. And so I was wondering if this can be classed as Nachi in such a black and white manner, or if there indeed may be something else going on.

New Member

Re: 2156 Nachi ICMP Echo Request Question

Just as a note, could this be the Nachi patcher worm? It perhaps uses the same discovery mechanism as Nachi (hence the 2156 signature match), but does not trigger the other DCOM signatures.

Is this plausible? I can't remember what this was called, or if there was one.

98
Views
0
Helpful
3
Replies
CreatePlease to create content